Skip to content

Fix docs gh-pages push hanging until job timeout#9548

Open
atalman wants to merge 1 commit into
mainfrom
fix-docs-ghpages-push-auth
Open

Fix docs gh-pages push hanging until job timeout#9548
atalman wants to merge 1 commit into
mainfrom
fix-docs-ghpages-push-auth

Conversation

@atalman

@atalman atalman commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

The upload job's docs push to gh-pages has been hanging until the 60-minute job timeout on tag/main pushes (deterministic, not a flake): both the v0.27.0 and v0.28.0 runs show build succeeding and upload cancelled ~59 min into a silent git push. Automated pytorchbot "auto-generating sphinx docs" commits on gh-pages stop at 2026-01-21; every release since was pushed manually.

Root cause

The git push runs inside the build container (repo mounted at /pytorch/vision). actions/checkout stores the auth header in a temp file wired via path-scoped includeIf.gitdir for the runner-host path and /github/workspace/...neither matches /pytorch/vision/.git. So the push is unauthenticated; with a TTY and no credential helper, git blocks on an interactive credential prompt until the timeout.

Fix — this authenticates the push so it succeeds

The real fix is giving the push valid credentials. SECRET_GITHUB_TOKEN is already present in the container and the job has contents: write, so we push with an explicit token:

export GIT_TERMINAL_PROMPT=0
git push "https://x-access-token:${SECRET_GITHUB_TOKEN}@github.com/pytorch/vision" HEAD:gh-pages

GIT_TERMINAL_PROMPT=0 is only a safety net (turns any future auth problem into an immediate error instead of a 60-min hang); the authenticated URL is what makes the push actually complete.

Verification that the push succeeds (not just fails fast)

  • The tokenized-URL form authenticates against pytorch/vision: git ls-remote https://x-access-token:<token>@github.com/pytorch/vision gh-pages returns the ref, no prompt.
  • gh-pages is not a protected branch, and the token has push/contents: write, so the push is authorized to write.
  • SECRET_GITHUB_TOKEN is confirmed populated in the container (the failing 0.28 run logged ALL_SECRETS: {"github_token":"***"}), and run_with_env_secrets.py exports it as SECRET_GITHUB_TOKEN.
  • After merge, the first push to main will exercise this path and should land a fresh auto-generating sphinx docs commit on gh-pages within minutes (instead of timing out) — the authoritative end-to-end confirmation.

AI assistance (Claude) was used for this change.

The upload job's git push runs inside the build container, where the repo is
mounted at /pytorch/vision. The credentials persisted by actions/checkout are
scoped via includeIf.gitdir to the runner-host checkout path (and
/github/workspace), neither of which matches the container mount, so the bare
git push is unauthenticated. With a TTY attached and no credential helper, git
blocks on an interactive prompt and the job is cancelled at the 60-minute
timeout. This has silently broken the automated docs upload since ~2026-01-21
(0.27 and 0.28 tag uploads both timed out; docs were pushed manually after).

Push with an explicit token (SECRET_GITHUB_TOKEN is available in the container)
and set GIT_TERMINAL_PROMPT=0 so auth failures fail fast.

Co-authored-by: Claude
@pytorch-bot

pytorch-bot Bot commented Jul 9, 2026

Copy link
Copy Markdown

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/vision/9548

Note: Links to docs will display an error until the docs builds have been completed.

❌ 2 Pending, 2 Unrelated Failures, 1 Unclassified Failure

As of commit b9cd225 with merge base 66089cf (image):

UNCLASSIFIED FAILURE - DrCI could not classify the following job because the workflow did not run on the merge base. The failure may be pre-existing on trunk or introduced by this PR:

BROKEN TRUNK - The following jobs failed but were present on the merge base:

👉 Rebase onto the `viable/strict` branch to avoid these failures

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@meta-cla meta-cla Bot added the cla signed label Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants